Since not every request (actually very few?) requires some kind of a map to be dispatched, the Access Control should reside in the Application Controller. Otherwise the map will only contain access control information, no?
Where we differ is that the Captain thinks that Access Control should be done in the FC, I think it can be done in the FC, but also in the AC as well. To do Access Control in the FC usually requires a map containing the Access Control information. In PHP it is often easier to put the Access Control into the code of the AC rather than have a map. This is an area where Dependency Injection would bridge the gap by allowing both with the same call.